DARPA announces results of first-ever bug bounty focused on hardware security

By Justin Doubleday / January 28, 2021 at 4:51 PM

The Defense Advanced Research Projects Agency announced the completion of its first-ever bug bounty program today, with the project validating the agency's work on secure hardware architectures.

The "Finding Exploits to Thwart Tampering" bug bounty was held between July and October 2020, with the agency spending the last three months reviewing the 13,000 hours of "hacking exploits" by more than 580 cybersecurity researchers.

The hackers tested the work of the System Security Integration Through Hardware and Firmware program, which "aims to develop security architectures and tools that protect electronic systems against common classes of hardware vulnerabilities exploited through software," according to DARPA.

The bug bounty "proved the value" of the SSITH program, while also "pinpointing critical areas to further harden defenses," DARPA announced. During the three-month bounty, the security researchers discovered 10 vulnerabilities.

"The majority of the bug reports did not come from exploitation of the vulnerable software applications that we provided to the researchers, but rather from our challenge to the researchers to develop any application with a vulnerability that could be exploited in contradiction with the SSITH processors' security claims," DARPA program manager Keith Rebello said. "We're clearly developing hardware defenses that are raising the bar for attackers."

DARPA teamed up with the Defense Digital Service and cybersecurity firm Synack to carry out the program. DDS runs the "Hack the Pentagon" bug bounty program. Bug bounties give "white-hat hackers" a sanctioned forum to probe systems for vulnerabilities so they can report them without fear of reprisal from law enforcement authorities.